RE: [exim] How to Reject Remote Mail Server Imposters (to se…

Author: Herb Martin
Date:  
To: 'Mailinglist EXIM'
Subject: RE: [exim] How to Reject Remote Mail Server Imposters (to self)
> This is great. Tx!
> I've already started to incorporate some of the rules
> provided by Suresh and Mark who wrote on this before, but
> this seems much more comprehensive.
>


You're welcome.

Please post anything you work out, find, or improve.

I borrowed much of this and adapted the rest from those
sources and/or ideas from other products.

Tonight I just got the two "warn"s, on Invalid HELO or
NO reverse record, into the Greylisting and it started
catching right away.

I also added a regex for likely "dynamic addresses" on
both $sender_host_name AND $sender_helo_name -- it
bothers me to block on these tests, but using them
to DRIVE the greylist seems like the best of all choices.

Greylisting is up to 83% "never returns" -- only 17%
of the greylisted senders bother to try again and so
far I haven't found any evidence of losing anything to
the greylist. (I do see SOME good, but low priority
mail being delayed, but not much of that since we only
send the "smelly" mail through the greylist test.)

Combining the Blacklists to DRIVE the Greylist was already
very effective; adding the warns to do that without a "cold
block" is helping.

Next project is to see about driving SpamAssassin "high
scores" back through the greylist to cover that stuff
coming from 1) static looking addresses 2) not in blacklists
3) Valid helo, etc BUT WITH that high SA score.

No test is an "all or nothing" decision -- it takes at least
two separate tests for the greylist to cause a block and that
second test is only if the sending server doesn't do SMTP
retries.

I also started adding some simple "block" if these patterns
are seen right into the Exim config (but this will get moved
to an include file soon.)


Herb Martin, MCT, MCSD, MCSE, MVP
HerbM@??? http://LearnQuick.Com
512 388 7339 -or- 1 800 MCSE PRO
Accelerated MCSE in a Week Seminars

> -----Original Message-----
> From: exim-users-bounces@???
> [mailto:exim-users-bounces@exim.org] On Behalf Of Ilan Aisic
> Sent: Thursday, August 04, 2005 2:12 AM
> To: Herb Martin
> Cc: exim-users@???
> Subject: Re: [exim] How to Reject Remote Mail Server Imposters (to self)
>
> This is great. Tx!
> I've already started to incorporate some of the rules
> provided by Suresh and Mark who wrote on this before, but
> this seems much more comprehensive.
>
> --ilan
>
> On 8/3/05, Herb Martin <HerbM@???> wrote:
> > > As we know, spammers often fake their identity and their mail server
> > > /ratware fakes their identity as well.
> > > I've noticed that occasionally I get spam that is supposedly sent
> > > from my own server (tivon1.pointer.co.il) but clearly arrives from
> > > an outside IP address.
> >
> > I filtered these recently and was SHOCKED how much spam was hit by
> > simply blocking on my "own server name" and "my own server address"
> > given the HELO.
> >
> > > I've written a rule in SpamAssassin that rejects this kind of spam but
> > > I think it really should be stopped inside Exim.
> >
> > It should be stopped at the SMTP transaction, before even accepting
> > the email.
> >
> > acl_check_helo:
> >   # Local and trusted hosts skip the HELO sanity checks.
> >   accept  hosts = : +KNOWN_HOSTS
> >
> >   # Nobody outside may greet us with our own address. \N...\N keeps the
> >   # regex dots literal and anchors it, with or without [] around the IP.
> >   deny    message = HELO/EHLO with my ip address. You are not me.
> >           log_message = -- HELO/EHLO my ip
> >           condition = ${if match {$sender_helo_name}{\N^\[?68\.178\.144\.60\]?$\N}{yes}{no}}
> >
> >   # Our own domain, or any host name under it, anchored at the end.
> >   deny    message = HELO/EHLO with my domain name. You are not LearnQuick.
> >           log_message = -- HELO/EHLO learnquick.com
> >           condition = ${if match {$sender_helo_name}{\N(^|\.)learnquick\.com$\N}{yes}{no}}
> >
> >   deny    message = Fine, then the mail I accept is also none
> >           log_message = -- HELO/EHLO none
> >           condition = ${if match {$sender_helo_name}{\N^none$\N}{yes}{no}}
> >
> >   deny    message = You're not localhost--your admin misconfigured your email server.
> >           log_message = -- HELO/EHLO localhost
> >           condition = ${if match {$sender_helo_name}{\N^localhost(\.localdomain)?$\N}{yes}{no}}
> >
> >   accept
> > ######################################
> > acl_check_mail:
> >
> >   accept  authenticated = *
> >   accept  hosts = : +KNOWN_HOSTS
> >
> > .ifdef RBL
> >   # On accept, "message" adds the text as a header line to the message.
> >   accept  message = X-whitelisted-at: $dnslist_domain
> >           dnslists = ALL_DNS_WHITELISTS
> > .endif
> >
> >   # Stopping Spam in the ACL <http://vamos-wentworth.org/exim-tricks.html>
> >   # A HELO name with no dot at all is not a fully qualified host name.
> >   deny    message = Invalid HELO. Your SMTP server is misconfigured.
> >           condition = ${if match{$sender_helo_name}{\N\.\N}{no}{yes}}
> >
> >   ### The following three checks were too aggressive for DENY, so I
> >   ### set them to warn, and use them to drive Greylist checks. In a warn
> >   ### verb, "message" adds a header (X-ACL-Warn: ...) later stages can test.
> >   warn    message = -- not listed as reverse record.
> >           log_message = -- WARN: not listed as reverse record.
> >           !verify = reverse_host_lookup
> >
> >   warn    message = -- listed invalid HELO.
> >           log_message = -- WARN: listed invalid HELO.
> >           !verify = helo
> >
> > .ifdef RBL
> >   warn    message = X-blacklisted-at: $dnslist_domain
> >           dnslists = ALL_DNS_BLACKLISTS
> > .endif
> >   accept
> >
> > The combination of simple sanity checks, other SMTP checks, and then
> > blacklists to drive greylisting is FAR better than I expected -- and
> > all before we get to SpamAssassin and custom filters....
> >
> > Herb Martin, MCT, MCSD, MCSE, MVP
> > HerbM@??? http://LearnQuick.Com
> > 512 388 7339 -or- 1 800 MCSE PRO
> > Accelerated MCSE in a Week Seminars
> >
> > > -----Original Message-----
> > > From: exim-users-bounces@???
> > > [mailto:exim-users-bounces@exim.org] On Behalf Of Ilan Aisic
> > > Sent: Wednesday, August 03, 2005 9:15 AM
> > > To: exim-users@???
> > > Subject: [exim] How to Reject Remote Mail Server Imposters (to self)
> > >
> > > Hi,
> > > As we know, spammers often fake their identity and their mail server
> > > /ratware fakes their identity as well.
> > > I've noticed that occasionally I get spam that is supposedly sent
> > > from my own server (tivon1.pointer.co.il) but clearly arrives from
> > > an outside IP address.
> > > I've written a rule in SpamAssassin that rejects this kind of spam but
> > > I think it really should be stopped inside Exim.
> > > See the short log snippet below where you can see that the mail was
> > > sent from a dynamic comcast.net address but the server had the
> > > audacity in the "helo" command to identify itself as
> > > "tivon1.pointer.co.il".
> > > My Exim is configured to require sender verify but apparently it
> > > does not include "server" verify. Is there a command/parameter
> > > for this?
> > >
> > > -------------  exim log snippet starts ------------
> > > 2005-08-01 00:59:03 1DzLpi-0006TB-7u H=c-24-131-41-83.hsd1.ga.comcast.net (tivon1.pointer.co.il) [24.131.41.83] F=<atqnscjukax@???> rejected after DATA:
> > > - Classified as spam (scored 28.8 points). Congratulations!
> > > Envelope-from: <atqnscjukax@???>
> > > Envelope-to: <alex@???>
> > > P Received: from c-24-131-41-83.hsd1.ga.comcast.net ([24.131.41.83] helo=tivon1.pointer.co.il)
> > >       by tivon1.pointer.co.il with smtp (Exim 4.50)
> > >       id 1DzLpi-0006TB-7u
> > >       for alex@???; Mon, 01 Aug 2005 00:58:58 +0300
> > > F From: atqnscjukax@???
> > > ------------- exim log snippet ends ------------
> > >
> > > --
> > > Ilan Aisic
> > > Registered Linux User 8124 http://counter.li.org
> > >
> > > --
> > > ## List details at http://www.exim.org/mailman/listinfo/exim-users
> > > ## Exim details at http://www.exim.org/
> > > ## Please use the Wiki with this list - http://www.exim.org/eximwiki/
> > >
> >
> >
>
>
> --
> Ilan Aisic
> Registered Linux User 8124 http://counter.li.org
>
> --
> ## List details at http://www.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://www.exim.org/eximwiki/
>
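As an added example, not code from the thread and not Exim configuration, the following Python models the policy the two posters converge on: hard "deny" for a HELO that claims to be us (our IP, our domain, "none", "localhost") or has no dot, and soft "warn" signals (no reverse record, HELO that does not verify, a dynamic-looking host name) that only route the session to greylisting. It runs over the host field of Exim log lines in the shape Ilan posted. The site identity (MY_IPS, MY_DOMAINS), the forward-DNS table used in place of real lookups, and the DYNAMIC_RE pattern are assumptions of this example; Herb mentions a dynamic-address regex but the thread does not give one. The first sample line reproduces the host field of Ilan's rejection; the other lines are constructed.

```python
"""Offline model of the HELO-imposter rejection and the "warn to drive greylisting"
scheme from the thread, run over Exim-style log host fields."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Site identity: ASSUMED values for this example (RFC 5737 test address); use your own.
MY_IPS = {"192.0.2.10"}
MY_DOMAINS = {"pointer.co.il"}
BOGUS_HELO = {"none", "localhost", "localhost.localdomain"}

# Constructed forward-DNS table standing in for the lookups behind Exim's `verify = helo`.
FORWARD_DNS = {
    "mx1.example.com": {"198.51.100.7"},
    "dsl-203-0-113-5.example.net": {"203.0.113.5"},
}

# "Likely dynamic address" heuristic. The thread mentions such a regex but does not
# give it; this pattern is an assumption: ISP access keywords, or four embedded octets
# (which also catches [a.b.c.d] address literals used as a HELO name).
DYNAMIC_RE = re.compile(
    r"(?:^|[.-])(?:a?dsl|dial(?:up)?|dyn(?:amic)?|ppp|pool|cable|dhcp|hsd)\d*(?:[.-]|$)"
    r"|\d{1,3}[.-]\d{1,3}[.-]\d{1,3}[.-]\d{1,3}",
    re.IGNORECASE,
)

# Exim main-log host field: H=<rdns> (<helo>) [<ip>]; rdns and (helo) are each optional,
# and Exim omits (helo) when it equals the reverse name.
HOST_FIELD_RE = re.compile(
    r"H=(?P<rdns>[^\s(\[]+)?\s*(?:\((?P<helo>[^)]*)\))?\s*\[(?P<ip>[^\]]+)\]"
)


@dataclass
class Session:
    ip: str
    helo: str
    rdns: Optional[str]  # None when there is no reverse record


@dataclass
class Verdict:
    action: str  # "deny", "greylist" or "accept"
    reasons: list = field(default_factory=list)


def parse_host_field(logline: str) -> Session:
    m = HOST_FIELD_RE.search(logline)
    if not m:
        raise ValueError("no H= field in: " + logline)
    rdns, helo = m.group("rdns"), m.group("helo")
    return Session(ip=m.group("ip"), helo=helo if helo is not None else rdns or "", rdns=rdns)


def claims_our_identity(helo: str) -> Optional[str]:
    """The deny tests of acl_check_helo: HELO names only we are entitled to use."""
    h = helo.lower().strip("[]")
    if h in MY_IPS:
        return "HELO is our IP address"
    if any(h == d or h.endswith("." + d) for d in MY_DOMAINS):
        return "HELO is our domain"
    if h in BOGUS_HELO:
        return "HELO is " + h
    return None


def helo_verifies(s: Session) -> bool:
    """Approximation of `verify = helo`: the HELO name resolves to the connecting IP,
    or is that IP as an address literal."""
    h = s.helo.lower()
    return h == "[" + s.ip + "]" or s.ip in FORWARD_DNS.get(h, set())


def check(s: Session) -> Verdict:
    # Hard rejections, taken at the SMTP transaction before any DATA is accepted.
    reason = claims_our_identity(s.helo)
    if reason:
        return Verdict("deny", [reason])
    if "." not in s.helo.strip("[]"):
        return Verdict("deny", ["HELO has no dot"])
    # Soft signals: each alone only warns; any warning routes the mail to greylisting,
    # so a legitimate sender that retries still gets through.
    warns = []
    if s.rdns is None:
        warns.append("no reverse record")
    if not helo_verifies(s):
        warns.append("HELO does not verify")
    if DYNAMIC_RE.search(s.rdns or "") or DYNAMIC_RE.search(s.helo):
        warns.append("dynamic-looking host name")
    return Verdict("greylist" if warns else "accept", warns)


# Constructed sample lines; only the H= field matters to the parser. The first one
# reproduces the host field of the rejection Ilan posted, the rest are made up and
# use documentation address space.
SAMPLE_LOG = [
    "2005-08-01 00:59:03 1DzLpi-0006TB-7u H=c-24-131-41-83.hsd1.ga.comcast.net (tivon1.pointer.co.il) [24.131.41.83] rejected after DATA",
    "H=(localhost) [203.0.113.9]",
    "H=(mailserver) [203.0.113.10]",
    "H=(mx.example.org) [203.0.113.11]",
    "H=dsl-203-0-113-5.example.net [203.0.113.5]",
    "H=mx1.example.com [198.51.100.7]",
]


def triage(loglines):
    """Return (helo, action) per log line."""
    return [(parse_host_field(l).helo, check(parse_host_field(l)).action) for l in loglines]


if __name__ == "__main__":
    for helo, action in triage(SAMPLE_LOG):
        print(f"{action:9} {helo}")
```

Run as a script it prints one verdict per sample line: the comcast host greeting as tivon1.pointer.co.il, "localhost" and the dotless "mailserver" are denied outright, the host with no reverse record and the DSL-looking host are greylisted rather than blocked, and only the verifiable static MX is accepted without further tests.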